defdeveu courses
defdeveu courses
README
secdev courses
Java
JavaScript
Android
iOS
.NET
C/C++
Webapps in general
Testing courses
Mobile testing automation
Security test automation in CI/CD pipelines
Burp for developers
DevSecOps courses
Docker security
AWS security
Control courses
Assisted code-review lab
S-SDLC playbook
Library
Mobile security baseline
Hacking applications
Language specific
Delivery
Main features
Agenda structure
Days and kits
Trainer formations
Course materials
Trainers
Glenn ten Cate
Marek Zachara
Péter Nyilasy
Riccardo ten Cate
Timur Khrotko
Zsombor Kovács
Powered by GitBook

C/C++

About the course

Properties

title: Secure development in C/C++

audience: senior/medior developers, lead devs, testers and security champions

duration: 1 or 2 days (7 or 12 hrs education time), depending on the actual kit of topics applicable/required (see Agenda below)

developed by: Marek Zachara

Prerequisites

We assume that the developers attending the secdev course:

  • are familiar with the C/C++ language, can compile and execute the programs

  • specific focus of the course (see below) may result in additional prerequisites

Related courses

Agenda

Due to the variety of applications, ranging from embedded to large scale deployments, real-time and critical systems that are built in C/C++, we recommend to tailor the training for the specific needs of the particular development team.

The list of modules below illustrate the scope to choose from, however the exact scope and detail level is pre-arranged to suit the specific needs of the attendees.

A. Principles and practice of secdev

  • Defense in depth principles

  • Standards and practices

  • Various types of weaknesses and vulnerabilities

B. Secure architecture

  • Threat modeling

  • Risk assessment

  • Security by design

  • Checkpoints

C. Buffer overflows

  • Stack overflows

  • Heap overflows

  • String formatting issues

  • Array and string indexing

D. Value overflows

  • Integer overflows

  • Float limitations

  • Type casts

E. Safe data handling

  • Secure memory handling

  • Safe pointers

  • Removal of sensitive data

F. Input validation

  • Common errors

  • Injections

  • Unsafe type casts and conversions

  • Regular expressions

  • Validation practices

G. Introduction to cryptography

  • Symmetric and asymmetric encryption

  • Communication encryption

  • Storage encryption

  • Password handling

H. Multithreading

  • Deadlocks, starvation, etc.

  • Race conditions

  • Accessing external resources

I. Analysis of the source code

  • Automated analysis with existing tools

  • Code review

  • OWASP ASVS

J. Integrations with external programs

  • Safe and unsafe APIs

  • Secure libraries

  • Module isolation, wrappers, etc.

Trainers

Lead trainer:

Co-trainers:

secdev courses - Previous
.NET
Next - secdev courses
Webapps in general
Last updated 11 months ago
Edit on GitHub
Contents
About the course
Properties
Prerequisites
Related courses
Agenda
Trainers